Quantum-key distribution apparatus, quantum-key distribution method, and computer program product

ABSTRACT

According to an embodiment, a quantum-key distribution apparatus includes a quantum-key sharer, a shifter, a corrector, a privacy amplifier, and an estimator. The quantum-key sharer performs photon sharing processing and acquires a photon bit string. The shifter generates a shared bit string by performing shifting processing. The corrector generates a corrected bit string by correcting errors in the shared bit string by performing error correction processing. The privacy amplifier generates an encryption key by performing privacy amplification processing that compresses the corrected bit string. The estimator estimates an encryption-key generation rate based on an output value and a given value at execution phases of respective pieces of processing of the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing.

CROSS-REFERENCE TO RELATED APPLICATION

This application is based upon and claims the benefit of priority from Japanese Patent Application No. 2015-055322, filed on Mar. 18, 2015; the entire contents of which are incorporated herein by reference.

FIELD

An embodiment described herein relates generally to a quantum-key distribution apparatus, a quantum-key distribution method, and a computer program product.

BACKGROUND

A quantum-key distribution system includes a transmitter, a receiver, and an optical fiber link that connects the foregoing. The transmitter transmits a stream of single photons to the receiver via the optical fiber link (a quantum communication channel) that is a communication channel of an optical fiber. Thereafter, the transmitter and the receiver exchange control information with each other, and thereby the transmitter and the receiver share an encryption key between them. This technology is implemented by a technology generally referred to as quantum key distribution (QKD).

To share the encryption key between the transmitter and the receiver by the quantum key distribution, there is the need to perform key distillation processing on each of the transmitter and the receiver. The key distillation processing is composed of shifting processing, error correction processing, and privacy amplification processing. By this key distillation processing, the transmitter and the receiver share the encryption key. The shared encryption key is used, as a key of one-time pad, when encrypted data communication is performed between the transmitter and the receiver or between applications coupled to the respective apparatuses. In the encrypted data communication by the encryption key of a one-time pad, by information theory, it has been assured that no eavesdropper having any knowledge can decipher it.

In the quantum key distribution, the photon used to share the encryption key has the uncertainty principle that is one of the fundamental principles in quantum mechanics in which the physical state thereof changes by being observed. By this principle, when an eavesdropper observed, on a quantum communication channel, photons including information on an encryption key transmitted by the transmitter, the physical state of the photons is changed and thereby the receiver that received the photons can tell that the photons have been observed by the eavesdropper. At that time, the change in the physical state of the photons appears as a quantum bit error rate (QBER) of the link (quantum communication channel) between the transmitter and the receiver. When an eavesdropper attempts to observe photons, the receiver and the transmitter can tell the presence of the eavesdropper because the physical state of the photons is changed and the QBER is increased.

The generation amount of encryption keys shared per unit time is referred to as a secure key rate (an encryption-key generation rate). As the number of encryption keys being available increases, encrypted data communication becomes faster and safer, and thus a higher secure key rate can implement a high-performance quantum-key distribution system. In a quantum-key distribution system, at the time of starting up the apparatus or as part of maintenance work at the time of recovering from a fault and the like, there is the need to set adjustment items in respective pieces of processing, in encryption-key generation operation of the transmitter and the receiver, to improve the secure key rate. As such a quantum-key distribution system, there is one that makes adjustments in the operation, out of the encryption-key generation operation, of transmitting photons to a receiver from a transmitter via a quantum communication channel.

As for the information necessary to calculate the secure key rate, however, the accurate value thereof is not known until the entire processing in the encryption-key generation operation is completed. At a phase in the middle of the encryption-key generation operation, it is not easy to instantaneously determine what effect the current settings have on the secure key rate that is finally obtained. In the above-described system, although the adjustments in the operation of transmitting photons are made, it is not sufficient to improve the secure key rate because it does not set the adjustment items in other processing of the encryption-key generation operation. It is therefore necessary to determine what adjustment items ought to be changed by trial and error and by reference to the experience of past adjustment work, and thus the maintenance work takes time and the cost for system maintenance increases.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating one example of the configuration of a quantum-key distribution system;

FIG. 2 is a block diagram illustrating one example of the hardware configuration of a QKD apparatus;

FIG. 3 is a block diagram illustrating one example of the configuration of functional blocks of the QKD apparatus;

FIG. 4 is a sequence diagram illustrating one example of encryption-key generation operation of the QKD apparatus;

FIG. 5 is a table illustrating information for obtaining estimated values in respective pieces of processing;

FIG. 6 is a graphic chart illustrating a binary entropy function;

FIG. 7 is a block diagram illustrating one example of the configuration of functional blocks of a QKD apparatus according to a first modification;

FIG. 8 is a diagram illustrating a display example of an estimated value;

FIG. 9 is a diagram illustrating a display example of the estimated value by a bar chart;

FIG. 10 is a graphic chart illustrating a display example of the estimated value by a time-series chart;

FIG. 11 is a graphic chart illustrating a display example of the estimated value by a time-series chart; and

FIG. 12 is a block diagram illustrating one example of the configuration of functional blocks of a QKD apparatus according to a second modification.

DETAILED DESCRIPTION

According to an embodiment, a quantum-key distribution apparatus includes a quantum-key sharer, a shifter, a corrector, a privacy amplifier, and an estimator. The quantum-key sharer is configured to perform photon sharing processing in which a stream of photons is shared with another quantum-key distribution apparatus by quantum key distribution via a quantum communication channel for photons and to acquire a photon bit string corresponding to the stream of photons based on generated basis information. The shifter is configured to generate a shared bit string from the photon bit string by performing shifting processing based on the basis information on the quantum-key sharer and on the another quantum-key distribution apparatus. The corrector is configured to generate a corrected bit string by correcting errors included in the shared bit string by performing error correction processing. The privacy amplifier is configured to generate encryption keys by performing privacy amplification processing in which the corrected bit string is compressed based on the number of errors. The estimator is configured to estimate, at execution phases of respective pieces of processing of the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing, an encryption-key generation rate indicative of a generation amount of the encryption keys per unit time based on an output value output in processing that has been performed out of the respective pieces of processing and a given value corresponding to an output value of processing not yet performed out of the respective pieces of processing.

With reference to the accompanying drawings, the following describes in detail a quantum-key distribution apparatus, a quantum-key distribution method, and a computer program according to an exemplary embodiment. In the description of the drawings, the same portions are given the same reference signs. The drawings, however, are schematic, and thus the specific configuration should be determined in consideration of the following descriptions.

EMBODIMENT

FIG. 1 is a block diagram illustrating one example of the configuration of a quantum-key distribution system according to an embodiment. With reference to FIG. 1, the configuration of a quantum-key distribution system 100 will be described.

As illustrated in FIG. 1, the quantum-key distribution system 100 includes a transmitter 1, a receiver 2, and an optical fiber link 3. In the following description, as illustrated in FIG. 1, the quantum-key distribution system 100 that is composed of one each of the transmitter 1 and the receiver 2 will be explained. However, with the single receiver 2, what is called a quantum access network (QAN) in which a plurality of transmitters 1 are connected thereto via an optical device may be integrated with the quantum-key distribution system. It may be a quantum-key distribution system in which the receiver 2 having a plurality of interfaces for optical fiber communication and a plurality of transmitters 1 are connected via those interfaces. In the foregoing systems, the transmitter 1 and the receiver 2 may be conversely configured.

The transmitter 1 is an apparatus that transmits a stream of photons composed of single photons that are generated by a laser and are the basis of encryption key generation to the receiver 2 via the optical fiber link 3. The transmitter 1 performs later-described key distillation processing (shifting processing, error correction processing, and privacy amplification processing) on the basis of the transmitted stream of photons and generates encryption keys. The transmitter 1 further performs data communication with the receiver 2 via a classical communication channel implemented by a communication cable such as an Ethernet (registered trademark) cable other than the quantum communication channel implemented by the optical fiber link 3. The data communicated via the classical communication channel may be control data necessary for the above-described key distillation processing or may be general data other than the control data.

The receiver 2 is an apparatus that receives the stream of photons composed of single photons that are the basis of encryption key generation from the transmitter 1 via the optical fiber link 3. The receiver 2 performs the later-described key distillation processing (shifting processing, error correction processing, and privacy amplification processing) on the basis of the received stream of photons and generates the encryption keys identical to those generated by the transmitter 1. That is, the transmitter 1 and the receiver 2 are to generate and share the identical encryption keys. The receiver 2 further performs the data communication with the transmitter 1 via the classical communication channel implemented by the communication cable such as an Ethernet cable other than the quantum communication channel implemented by the optical fiber link 3.

The optical fiber link 3 is an optical fiber cable that functions as a quantum communication channel that is to be a transmission channel for single photons output by the transmitter 1. Although not depicted in FIG. 1, the transmitter 1 and the receiver 2 are connected via a communication cable (classical communication channel) that performs communication with normal digital data of “0” and “1” in addition to the optical fiber link 3. The classical communication channel does not need to be wired and it may be wireless.

While it has been described that the optical fiber link 3 functions as the quantum communication channel and the communication cable not depicted such as an Ethernet cable functions as the classical communication channel, it is not limited to this. For example, the optical fiber link 3 may be configured to serve, by a wavelength division multiplex (WDM) technology, as a photon communication channel to transmit and receive photons, and an optical data communication channel to perform optical data communication. That is, in this case, the photon communication channel of the optical fiber link 3 functions as the quantum communication channel and the optical data communication channel functions as the classical communication channel.

By the quantum-key distribution system 100 including such a transmitter 1 and a receiver 2, when an eavesdropper observes a stream of photons transmitted by the transmitter 1 on the optical fiber link 3, the physical state of the photons is changed and the receiver 2 that receives the photons can recognize that the photons have been observed by the eavesdropper.

The transmitter 1 and the receiver 2 are generically referred to as “quantum-key distribution apparatus (QKD apparatus).”

FIG. 2 is a block diagram illustrating one example of the hardware configuration of the QKD apparatus in the embodiment. With reference to FIG. 2, the hardware configuration of the QKD apparatus (the transmitter 1, the receiver 2) will be described.

As illustrated in FIG. 2, the QKD apparatus includes a central processing unit (CPU) 80, a read only memory (ROM) 81, a random access memory (RAM) 82, an input device 83, a display device 84, a communication interface (I/F) 85, an auxiliary storage device 86, an optical processing device 87, and a speaker 88.

The CPU 80 is an arithmetic device that controls the operation of a whole of the QKD apparatus. The ROM 81 is a non-volatile storage device that stores therein computer programs the CPU 80 executes to control respective functions. The RAM 82 is a volatile storage device that functions as a work memory of the CPU 80.

The input device 83 is a device such as a mouse and a keyboard with which the selection of characters, numerals, and various instructions is made and the setting of setting information is performed.

The display device 84 is a display device that displays cursors, menus, windows, and a variety of information such as characters or images. The display 84 is a cathode ray tube (CRT) display, a liquid crystal display, a plasma display, or an organic electroluminescence (EL) display, for example. The display device 84 is connected to the body of the QKD apparatus via a VGA cable or a high-definition multimedia interface (HDMI (registered trademark)) cable, for example.

The communication I/F 85 is an interface to perform data communication via a classical communication channel such as a network like a local area network (LAN), or a wireless network. The communication I/F 85 is an interface that supports Ethernet (registered trademark) such as 10 Base-T, 100 Base-TX, or 1000 Base-T, for example.

The auxiliary storage device 86 is a non-volatile storage device that stores and accumulates therein various computer programs executed by the CPU 80, data generated in the process of encryption-key generation operation, and others. The auxiliary storage device 86 is a storage device, such as a hard disk drive (HDD), a solid state drive (SSD), a flash memory, an optical disk, or others, capable of storing electrically, magnetically, or optically computer programs and data.

The optical processing device 87 is an optical device that transmits or receives a stream of photons via a quantum communication channel. The optical processing device 87 of the transmitter 1 transmits a stream of photons composed of single photons, which are generated to be in a polarizing state based on basis information that is generated by randomly selected bases with respect to a bit string (a photon bit string) that is bit information generated by random numbers, to the optical processing device 87 of the receiver 2 via a quantum communication channel (the optical fiber link 3 depicted in FIG. 1), for example. That is, each photon of the stream of photons generated by the optical processing device 87 of the transmitter 1 has one bit information of “0” or “1.” While the stream of photons has been described to be composed of single photons that are generated to be in a polarizing state based on the basis information, it is not limited to this, and it may be composed of single photons that are generated so as to be in a phase state based on the basis information. The optical processing device 87 of the receiver 2 acquires the photon bit string that is the bit information by receiving the stream of photons from the optical processing device 87 of the transmitter 1 via the quantum communication channel, and reading the received stream of photons based on basis information generated by randomly selected bases.

The speaker 88 is a device that outputs sound in accordance with the instructions of the CPU 80.

The foregoing CPU 80, the ROM 81, the RAM 82, the input device 83, the display device 84, the communication I/F 85, the auxiliary storage device 86, the optical processing device 87, and the speaker 88 are connected via a bus 89 such as an address bus and a data bus so as to be able to communicate with one another.

The respective devices of the QKD apparatus illustrated in FIG. 2 are one example, and not all devices need to be included. For example, if there is no need to display information, the display device 84 does not necessarily need to be included, and if there is no need to output sound, the speaker 88 does not necessarily need to be included.

FIG. 3 is a block diagram illustrating one example of the configuration of functional blocks of the QKD apparatus in the embodiment. With reference to FIG. 3, the configuration of functional blocks of the QKD apparatus (the transmitter 1, the receiver 2) will be described.

As illustrated in FIG. 3, the transmitter 1 includes a photon transmitter 10 (which may be referred to as a quantum-key sharer), a shifting processor 11 (which may be referred to as a shifter), an error correction processor 12 (which may be referred to as a corrector), a privacy amplification processor 13 (which may be referred to as a privacy amplifier), a controller 14, an estimator 15, an input unit 16, and a storage 17.

The photon transmitter 10 is a functional unit that shares a stream of photons with the photon receiver 20 by transmitting the stream of photons composed of single photons, which are generated to be in a polarizing state based on basis information generated by randomly selected bases with respect to a photon bit string that is bit information generated by random numbers, to a photon receiver 20 of the receiver 2 via a quantum communication channel, for example. The photon transmitter 10 is implemented by the optical processing device 87 illustrated in FIG. 2.

The shifting processor 11 is a functional unit that performs shifting processing that generates a shared bit string by receiving basis information generated by the photon receiver 20 of the receiver 2 from a shifting processor 21 of the receiver 2 via a classical communication channel, comparing the received basis information with basis information generated by the photon transmitter 10, and extracting bits corresponding to a matched portion from the photon bit string. The shifting processor 11 further calculates a sample QBER (one example of a tentative error rate) that is a tentative QBER to estimate what the value of QBER would be like, by using the bit information on a part of the shared bit string. The described shifting processing is one example, and other methods may be employed.

The error correction processor 12 is a functional unit that performs error correction processing that generates a corrected bit string by exchanging control data (error correction (EC) information) with an error correction processor 22 of the receiver 2 via the classical communication channel and correcting bit errors of the shared bit string. When the error correction processing is successful, the corrected bit string generated by the error correction processor 12 agrees with a corrected bit string generated by correcting the shared bit string by the error correction processor 22 of the receiver 2 which will be described later. Because the corrected bit string is the bit string in which bit errors of the shared bit string have been corrected, the shared bit string and the corrected bit string are identical in length.

The error correction processor 12 further calculates the QBER based on the number of error bits corrected in the error correction processing that generates the corrected bit string, and the number of bits in the corrected bit string. Furthermore, the error correction processor 12 calculates, to correct bit errors of the shared bit string and to generate the corrected bit string as in the foregoing, an information leakage amount that is the amount of leaked bit information based on the amount of information on the EC information exchanged with the error correction processor 22. It is indicated that as the number of leaked bits becomes larger, the probability of being eavesdropped becomes higher and the amount of eavesdropped information becomes more probably larger.

The privacy amplification processor 13 is a functional unit that generates encryption keys by receiving control data (privacy amplification (PA) information) from a later-described privacy amplification processor 23 of the receiver 2 via the classical communication channel, and performing, based on the PA information, key compression processing (privacy amplification processing) to negate bits having a probability of being eavesdropped by an eavesdropper on the corrected bit string from the number of errors corrected by the error correction processor 12 at the time of performing the processing in the photon transmitter 10 and the error correction processor 12. When the privacy amplification processing is successful, the encryption keys generated by the privacy amplification processor 13 are to agree with encryption keys generated by the privacy amplification processor 23 of the receiver 2, and thus the identical encryption keys are to be shared. These shared encryption keys are used when encrypted data communication is performed between the transmitter 1 and the receiver 2 or between applications coupled to the respective apparatuses.

The controller 14 is a functional unit that controls the operation of the above-described photon transmitter 10, the shifting processor 11, the error correction processor 12, and the privacy amplification processor 13. Furthermore, the controller 14 acquires measurement values (output values) that are obtained in the respective pieces of processing of the photon transmitter 10, the shifting processor 11, the error correction processor 12, and the privacy amplification processor 13 and transmits them to the estimator 15. The controller 14 stores in advance initial values of operating input from the input unit 16 into the storage 17. The initial values are initial values (examples of given values) corresponding to the measurement values obtained in the respective pieces of processing performed in the photon transmitter 10, the shifting processor 11, the error correction processor 12, and the privacy amplification processor 13. As for the initial values, they only need to be the values defined based on the measurement values of the respective pieces of processing performed in the past, or the values expected from the characteristics, installation environments, methods of QKD, and others of the transmitter 1 and the receiver 2, for example. The measurement value output in the sharing processing performed on a stream of photons (hereinafter, referred to as “photon sharing processing”) in the photon transmitter 10 is the number of photons in the stream of photons (hereinafter, simply referred to as “the number of photons”). The measurement value output in the shifting processing of the shifting processor 11 is the above-described sample QBER. The measurement values output in the error correction processing of the error correction processor 12 are the above-described QBER and the information leakage amount. The measurement value output in the privacy amplification processing of the privacy amplification processor 13 is the processing time it takes until a single encryption key is generated, that is, the processing time necessary from the photon sharing processing to finish the privacy amplification processing.

The estimator 15 is a functional unit that performs estimation operation of a secure key rate. Specifically, the estimator 15 estimates a secure key rate, at the respective timing of the start-up, the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing of the transmitter 1, by using the measurement values that can be acquired and the initial values corresponding to the measurement values that cannot be acquired. At this time, the estimator 15 acquires the initial values used to estimate the secure key rate from the storage 17 in which the initial values are stored in advance. The detail of the estimation operation performed by the estimator 15 will be described later with reference to FIG. 5.

The input unit 16 is a functional unit that receives operating input of initial values and others. The input unit 16 is implemented by the input device 83 illustrated in FIG. 2.

The storage 17 is a functional unit that stores therein the initial values of operating input from the input unit 16. The storage 17 is implemented by the auxiliary storage device 86 illustrated in FIG. 2.

The foregoing shifting processor 11, the error correction processor 12, the privacy amplification processor 13, the controller 14, and the estimator 15 are implemented by the CPU 80 illustrated in FIG. 2 reading out and executing a computer program stored in the auxiliary storage device 86 and others onto the RAM 82. It is not limited that all of the shifting processor 11, the error correction processor 12, the privacy amplification processor 13, the controller 14, and the estimator 15 are to be implemented by the execution of the computer program. At least any one of the foregoing may be implemented by a hardware circuit such as an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other integrated circuits, for example.

The photon transmitter 10, the shifting processor 11, the error correction processor 12, the privacy amplification processor 13, the controller 14, the estimator 15, the input unit 16, and the storage 17 illustrated in FIG. 3 conceptually illustrate the functionality thereof, and are not limited to such a configuration. For example, a plurality of functional units illustrated as independent functional units in FIG. 3 may be configured as a single functional unit. Meanwhile, the function of a single functional unit in FIG. 3 may be divided into a plurality of functions and configured as a plurality of functional units.

As illustrated in FIG. 3, the receiver 2 includes the photon receiver 20 (may be referred to as a quantum-key sharer), the shifting processor 21 (may be referred to as a shifter), the error correction processor 22 (may be referred to as a corrector), the privacy amplification processor 23 (may be referred to as a privacy amplifier), a controller 24, an estimator 25, an input unit 26, and a storage 27.

The photon receiver 20 is a functional unit that acquires a photon bit string that is the bit information by receiving a stream of photons from the photon transmitter 10 of the transmitter 1 via the quantum communication channel, sharing the stream of photons with the photon transmitter 10, and reading the received stream of photons based on basis information generated by randomly selected bases. The photon receiver 20 is implemented by the optical processing device 87 illustrated in FIG. 2.

The shifting processor 21 is a functional unit that performs the shifting processing that generates a shared bit string by receiving basis information generated by the photon transmitter 10 of the transmitter 1 from the shifting processor 11 of the transmitter 1 via a classical communication channel, comparing the received basis information with basis information generated by the photon receiver 20, and extracting bits corresponding to a matched portion from the photon bit string. The shifting processor 21 further calculates a sample QBER that is a tentative QBER to estimate what the value of QBER would be like, by using the bit information on a part of the shared bit string. The described shifting processing is one example, and other methods may be employed.

The error correction processor 22 is a functional unit that performs the error correction processing that generates a corrected bit string by exchanging control data (EC information) with the error correction processor 12 of the transmitter 1 via the classical communication channel and correcting bit errors of the shared bit string. When the error correction processing is successful, the corrected bit string generated by the error correction processor 22 agrees with the corrected bit string that is generated by correcting the shared bit string by the error correction processor 12 of the transmitter 1. Because the corrected bit string is the bit string in which bit errors of the shared bit string have been corrected, the shared bit string and the corrected bit string are identical in length.

The error correction processor 22 further calculates the QBER based on the number of error bits corrected in the error correction processing that generates the corrected bit string, and the number of bits in the corrected bit string. Furthermore, the error correction processor 22 calculates, in order to correct bit errors of the shared bit string and generate the corrected bit string as in the foregoing, an information leakage amount that is the amount of leaked bit information based on the amount of information of the EC information exchanged with the error correction processor 12. It is indicated that as the number of leaked bits becomes larger, the probability of being eavesdropped becomes higher and the amount of eavesdropped information becomes more probably larger.
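
The shifting processing and the two error rates described for the shifting processors 11 and 21 and the error correction processors 12 and 22 can be illustrated as follows. This is an added example, not code from the described apparatus; the channel model, the basis labels, the way the sample is disclosed, and the stand-in for a successful error correction are assumptions made for illustration.

```python
import random

BASES = "+x"  # two basis labels, chosen for this example


def measure(tx_bits, tx_bases, rx_bases, flip_prob, rng):
    """Constructed channel model (assumption): a matching basis reads the sent
    bit, flipped with probability flip_prob; a mismatched basis reads a
    random bit."""
    rx_bits = []
    for bit, a, b in zip(tx_bits, tx_bases, rx_bases):
        if a == b:
            rx_bits.append(bit ^ int(rng.random() < flip_prob))
        else:
            rx_bits.append(rng.randrange(2))
    return rx_bits


def shift(bits, own_bases, peer_bases):
    """Shifting processing on one side: keep the bits at positions where the
    locally generated basis equals the basis received from the peer."""
    return [bit for bit, a, b in zip(bits, own_bases, peer_bases) if a == b]


def sample_qber(own_shared, peer_sample, sample_idx):
    """Tentative error rate from a part of the shared bit string.
    peer_sample holds the peer's bits at sample_idx, assumed here to be
    disclosed over the classical channel."""
    errors = sum(own_shared[i] != p for i, p in zip(sample_idx, peer_sample))
    return errors / len(sample_idx)


def qber(corrected_error_bits, corrected_len):
    """QBER from the number of error bits corrected and the number of bits
    in the corrected bit string."""
    return corrected_error_bits / corrected_len


def run_demo(n_photons=20000, flip_prob=0.03, sample_size=1000, seed=1):
    """Run both sides on constructed random data and return the measurements."""
    rng = random.Random(seed)
    tx_bits = [rng.randrange(2) for _ in range(n_photons)]
    tx_bases = [rng.choice(BASES) for _ in range(n_photons)]
    rx_bases = [rng.choice(BASES) for _ in range(n_photons)]
    rx_bits = measure(tx_bits, tx_bases, rx_bases, flip_prob, rng)

    # Each side compares its own bases with the peer's and keeps the matches.
    tx_shared = shift(tx_bits, tx_bases, rx_bases)
    rx_shared = shift(rx_bits, rx_bases, tx_bases)

    # Receiver side: tentative QBER from a randomly chosen part of the string.
    idx = rng.sample(range(len(rx_shared)), sample_size)
    tentative = sample_qber(rx_shared, [tx_shared[i] for i in idx], idx)

    # Stand-in for a successful error correction (assumption): the receiver's
    # string is made equal to the transmitter's, and the corrected bits are
    # counted. The corrected string has the same length as the shared string.
    corrected_errors = sum(a != b for a, b in zip(tx_shared, rx_shared))
    return {
        "shared_len": len(rx_shared),
        "sample_qber": tentative,
        "qber": qber(corrected_errors, len(rx_shared)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The sample QBER is available as soon as the shifting processing ends and fluctuates around the QBER that the error correction processing later reports; the smaller the sampled part, the wider that fluctuation.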

The privacy amplification processor 23 is a functional unit that generates encryption keys by generating control data (PA information) and transmitting it to the privacy amplification processor 13 of the transmitter 1 via the classical communication channel, and performing, based on the PA information, key compression processing (privacy amplification processing) to negate bits having a probability of being eavesdropped by an eavesdropper on the corrected bit string from the number of errors corrected by the error correction processor 22 at the time of performing the processing in the photon receiver 20 and the error correction processor 22. When the privacy amplification processing is successful, the encryption keys generated by the privacy amplification processor 23 are to agree with the encryption keys generated by the privacy amplification processor 13 of the transmitter 1, and thus the identical encryption keys are to be shared. These shared encryption keys are used when encrypted data communication is performed between the transmitter 1 and the receiver 2 or between applications coupled to the respective apparatuses.

The controller 24 is a functional unit that controls the operation of the above-described photon receiver 20, the shifting processor 21, the error correction processor 22, and the privacy amplification processor 23. Furthermore, the controller 24 acquires measurement values that are obtained in the respective pieces of processing of the photon receiver 20, the shifting processor 21, the error correction processor 22, and the privacy amplification processor 23 and transmits them to the estimator 25. The controller 24 stores in advance the initial values of operating input from the input unit 26 into the storage 27. As for the initial values and the measurement values, the content of the foregoing explanation of the controller 14 is applied.

The estimator 25 is a functional unit that performs the estimation operation of a secure key rate. Specifically, the estimator 25 estimates a secure key rate, at the respective timing of the start-up, the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing of the receiver 2, by using the measurement values that can be acquired and the initial values corresponding to the measurement values that cannot be acquired. At this time, the estimator 25 acquires the initial values used to estimate the secure key rate from the storage 27 in which they are stored in advance. The detail of the estimation operation performed by the estimator 25 will be described later with reference to FIG. 5.

The input unit 26 is a functional unit that receives operating input of initial values and others. The input unit 26 is implemented by the input device 83 illustrated in FIG. 2.

The storage 27 is a functional unit that stores therein the initial values of operating input from the input unit 26. The storage 27 is implemented by the auxiliary storage device 86 illustrated in FIG. 2.

The foregoing shifting processor 21, the error correction processor 22, the privacy amplification processor 23, the controller 24, and the estimator 25 are implemented by the CPU 80 illustrated in FIG. 2 reading out and executing the computer program stored in the auxiliary storage device 86 and others onto the RAM 82. The shifting processor 21, the error correction processor 22, the privacy amplification processor 23, the controller 24, and the estimator 25 need not all be implemented by the execution of the computer program. At least any of the foregoing may be implemented by a hardware circuit such as an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other integrated circuits, for example.

The photon receiver 20, the shifting processor 21, the error correction processor 22, the privacy amplification processor 23, the controller 24, the estimator 25, the input unit 26, and the storage 27 illustrated in FIG. 3 are conceptually illustrating the functionality thereof, and are not limited to such a configuration. For example, a plurality of functional units illustrated as independent functional units in FIG. 3 may be configured as a single functional unit. Meanwhile, the function of a single functional unit in FIG. 3 may be divided into a plurality of functions and configured as a plurality of functional units.

FIG. 4 is a sequence diagram illustrating one example of encryption-key generation operation of the QKD apparatus in the embodiment. With reference to FIG. 4, the sequence of the encryption-key generation operation will be described.

Step S11

The photon transmitter 10 transmits a stream of photons composed of single photons, which are generated to be in a polarizing state based on basis information generated by randomly selected bases with respect to a photon bit string that is the bit information generated by random numbers, to the photon receiver 20 of the receiver 2 via a quantum communication channel, and shares the stream of photons with the photon receiver 20, for example. The photon transmitter 10 transmits the generated basis information and the photon bit string to the shifting processor 11. The photon transmitter 10 may be configured to store the generated basis information and the photon bit string into the storage 17.

Step S12

The photon receiver 20 acquires the photon bit string that is the bit information by receiving the stream of photons from the photon transmitter 10 of the transmitter 1 via the quantum communication channel, sharing the stream of photons with the photon transmitter 10, and reading the received stream of photons based on the basis information generated by the randomly selected bases. The photon receiver 20 transmits the generated basis information and the photon bit string to the shifting processor 21. The photon receiver 20 may be configured to store the generated basis information and the photon bit string into the storage 27.

Step S13

The shifting processor 11 performs the shifting processing that generates a shared bit string by receiving the basis information generated by the photon receiver 20 of the receiver 2 from the shifting processor 21 of the receiver 2 via the classical communication channel, comparing the received basis information with the basis information generated by the photon transmitter 10, and extracting bits corresponding to a matched portion from the photon bit string. The shifting processor 11 transmits the generated shared bit string to the error correction processor 12. The shifting processor 11 may be configured to store the generated shared bit string into the storage 17.

Step S14

The shifting processor 21 performs the shifting processing that generates a shared bit string by receiving the basis information generated by the photon transmitter 10 of the transmitter 1 from the shifting processor 11 of the transmitter 1 via the classical communication channel, comparing the received basis information with the basis information generated by the photon receiver 20, and extracting bits corresponding to a matched portion from the photon bit string. The shifting processor 21 transmits the generated shared bit string to the error correction processor 22. The shifting processor 21 may be configured to store the generated shared bit string into the storage 27.

Step S15

The error correction processor 12 performs the error correction processing that generates a corrected bit string by exchanging control data (EC information) with the error correction processor 22 of the receiver 2 via the classical communication channel and correcting bit errors of the shared bit string generated by the shifting processor 11. The error correction processor 12 transmits the generated corrected bit string to the privacy amplification processor 13. The error correction processor 12 may be configured to store the generated corrected bit string into the storage 17.

Step S16

The error correction processor 22 performs the error correction processing that generates a corrected bit string by exchanging control data (EC information) with the error correction processor 12 of the transmitter 1 via the classical communication channel and correcting bit errors of the shared bit string generated by the shifting processor 21. The error correction processor 22 transmits the generated corrected bit string to the privacy amplification processor 23. The error correction processor 22 may be configured to store the generated corrected bit string into the storage 27.

Step S17

The privacy amplification processor 13 generates an encryption key by receiving control data (PA information) from the privacy amplification processor 23 of the receiver 2 via the classical communication channel and performing, based on the PA information, the key compression processing (privacy amplification processing) to negate bits having a probability of being eavesdropped by an eavesdropper on the corrected bit string, which has been generated by the error correction processor 12, from the number of errors corrected by the error correction processor 12 at the time of performing the processing in the photon transmitter 10 and the error correction processor 12. The privacy amplification processor 13 stores (accumulates) the generated encryption key into the storage 17.

Step S18

The privacy amplification processor 23 generates an encryption key by generating control data (PA information) and transmitting it to the privacy amplification processor 13 of the transmitter 1 via the classical communication channel and performing, based on the PA information, the key compression processing (privacy amplification processing) to negate bits having a probability of being eavesdropped by an eavesdropper on the corrected bit string, which has been generated by the error correction processor 22, from the number of errors corrected by the error correction processor 22 at the time of performing the processing in the photon receiver 20 and the error correction processor 22. The privacy amplification processor 23 stores (accumulates) the generated encryption key into the storage 27.

By the above-described operation, in the transmitter 1 and the receiver 2, the identical encryption keys are generated. Because the encryption key generated by the foregoing operation is what is called a one-time pad, different encryption keys are repeatedly generated by the foregoing operation. The foregoing operation is not limited to the generation of encryption keys by a one-time pad method, and it may be applied to the generation of encryption keys by other methods, for example, a common key encryption method typified by the advanced encryption standard (AES).

While the functional units in FIG. 3 each transmit the generated bit string thereof to the functional unit of the subsequent process directly, they may be configured to go through the storage 17 or the storage 27. For example, in the foregoing, the shifting processor 11 is to transmit the generated shared bit string to the error correction processor 12 directly. Alternatively, the shifting processor 11 may be configured to store the shared bit string into the storage 17, and the error correction processor 12 may be configured to read out the shared bit string from the storage 17 and perform the error correction processing.

FIG. 5 is a table illustrating information for obtaining estimated values in the respective pieces of processing. FIG. 6 is a graphic chart illustrating a binary entropy function. With reference to FIGS. 5 and 6, the estimation operation of a secure key rate and the operation of adjustments in the respective pieces of processing in encryption-key generation operation will be described.

As illustrated in FIG. 5, the encryption-key generation operation is performed in the order of (1) apparatus start-up, (2) photon sharing processing, (3) shifting processing, (4) error correction processing, and (5) privacy amplification processing. The outlines of the operation of the respective pieces of processing (2) to (5) are as discussed above with reference to FIG. 4.

The lengths of the encryption keys generated by the privacy amplification processors 13 and 23 can be calculated based on the number of photons in the stream of photons shared by the photon sharing processing of the photon transmitter 10 and photon receiver 20 and on the QBER and the information leakage amount calculated by the error correction processing of the error correction processors 12 and 22. The length $R_{\text{secure}}$ of an encryption key for which the safety in encryption communication is proven by information theory is expressed by the following Expression 1:

$$R_{\text{secure}} = \tfrac{1}{2}\,Q\,\{1 - (1 + f_{EC}(E)) \cdot H_2(E)\} \qquad (1)$$

$R_{\text{secure}}$: Length of encryption key

$E$: QBER (Error rate in quantum communication channel)

$Q$: Number of shared photons

½: Remaining ratio by shifting processing out of number of shared photons

$f_{EC}(E)$: EC efficiency

$H_2(E)$: Binary entropy function

The EC efficiency $f_{EC}$ in Expression 1 is a ratio of how much amount of information is leaked to an eavesdropper due to performing error correction on a given bit string and is a value dependent on the QBER and the information leakage amount. The $H_2(E)$ is a binary entropy function that is the function of an error rate $E$ as illustrated in FIG. 6. As just described, the length $R_{\text{secure}}$ of the encryption key is obtainable by the number of shared photons, the QBER, and the information leakage amount, and thus, where $R_{\text{secure}} = f$(the number of shared photons, QBER, information leakage amount), by using this function $f$ and the processing time that is obtained when the privacy amplification processing of the privacy amplification processors 13 and 23 is finished, the secure key rate can be obtained by the following Expression 2:

$$(\text{Secure key rate}) = \frac{f(\text{the number of shared photons},\ \text{QBER},\ \text{information leakage amount})}{(\text{processing time})} \qquad (2)$$

As for this secure key rate, as expressed in the foregoing Expression 1 and Expression 2, an accurate value is not obtainable unless the number of shared photons, the QBER, the information leakage amount, and the processing time have been measured. The number of shared photons, the QBER, the information leakage amount, and the processing time are all presented as measurement values when the privacy amplification processing of the privacy amplification processors 13 and 23, which is the phase (5) in the foregoing, is finished. To improve the secure key rate, if an expected secure key rate is obtained at the foregoing phases (1) to (4), the adjustment operation of the photon sharing processing, the shifting processing, and the error correction processing is easy. At the phase (5), an accurate secure key rate is obtained, and thus the adjustment operation of the privacy amplification processing is easy. With reference to FIG. 5, the following describes the estimation operation of a secure key rate performed by the estimators 15 and 25 at the respective phases (1) to (5) in the foregoing. While the estimator 15 is exemplified here, the estimator 25 operates in the same manner.

At the time of (1) apparatus start-up in FIG. 5, none of the number of shared photons, the QBER, the information leakage amount, and the processing time are measured, and thus the estimator 15 acquires the initial values of the number of shared photons, the QBER, the information leakage amount, and the processing time that are stored in the storage 17. The estimator 15 then, by using the initial values of the number of shared photons, the QBER, the information leakage amount, and the processing time as illustrated in FIG. 5, calculates an estimated value of secure key rate by Expression 1 and Expression 2. The estimated value of secure key rate calculated here by the estimator 15 is calculated by using initial values on all of the number of shared photons, the QBER, the information leakage amount, and the processing time, and thus the value is referred to as an initial value of secure key rate. As in the foregoing, the initial values of the number of shared photons, the QBER, the information leakage amount, and the processing time are defined as the values calculated based on the measurement values of the respective pieces of processing in the past, and thus the initial value of secure key rate can be considered to be an ideal value of secure key rate that is expected from the characteristics of the QKD apparatus (the transmitter 1, here), the installation environment of the QKD apparatus, the method of QKD, and others. The estimator 15 stores the calculated initial value of secure key rate into the storage 17. As the ideal value of secure key rate, an estimated value of secure key rate when the values expected from the apparatus characteristics and others are set as the respective initial values of the number of shared photons, the QBER, the information leakage amount, and the processing time, that is, the value of secure key rate expected from the apparatus characteristics and others, may be employed. Alternatively, as the ideal value of secure key rate, an estimated value of secure key rate when the optimal or preferable values out of the respective measurement values of the number of shared photons, the QBER, the information leakage amount, and the processing time in the past are used, that is, the actual value of optimal or preferable secure key rate in the past, may be employed.

At the time of performing (2) photon sharing processing in FIG. 5, the QBER, the information leakage amount, and the processing time are not yet measured, and thus the estimator 15 acquires the respective initial values of the QBER, the information leakage amount, and the processing time that are stored in the storage 17. The estimator 15 further receives the measurement value of the number of shared photons that is output by the photon sharing processing of the photon transmitter 10 via the controller 14. The estimator 15 then, by using the measurement value of the number of shared photons and using the initial values of the QBER, the information leakage amount, and the processing time as illustrated in FIG. 5, calculates an estimated value of secure key rate by Expression 1 and Expression 2. The controller 14 further adjusts the operation of the photon sharing processing performed by the photon transmitter 10 based on the difference between the initial value of secure key rate stored in the storage 17 and the estimated value of secure key rate calculated by the estimator 15. For example, the controller 14 makes adjustments so as to increase the number of shared photons by the photon sharing processing. That is, at the phase before performing the shifting processing, that is, at the phase of having performed only the photon sharing processing, when a sufficient secure key rate has not been obtained from the estimated value of the estimator 15, the controller 14 can expect an improvement effect in secure key rate by making adjustments only in the operation of the photon sharing processing of the photon transmitter 10. The adjustments made by the controller 14 in the operation of the photon sharing processing may be performed automatically based on the difference between the initial value of secure key rate and the estimated value of secure key rate, or may be performed based on the operating input of an operator received by the input unit 16. The operation of being adjusted based on the operating input of the operator received by the input unit 16 will be described in detail in a later-described first modification.

At the time of performing (3) shifting processing in FIG. 5, the QBER, the information leakage amount, and the processing time are not yet measured. However, the shifting processor 11 calculates, as in the foregoing, a sample QBER that is a tentative QBER by the shifting processing. Consequently, the estimator 15 uses, as the QBER in Expression 1 and Expression 2, the sample QBER calculated by the shifting processor 11 as a measurement value of QBER. The estimator 15 acquires the respective initial values of the information leakage amount and the processing time that are stored in the storage 17. The estimator 15 further receives, via the controller 14, the measurement values of the number of shared photons output by the photon sharing processing of the photon transmitter 10, and the sample QBER output by the shifting processing of the shifting processor 11. The estimator 15 then, by using the measurement values of the number of shared photons and the sample QBER and using the initial values of the information leakage amount and the processing time as illustrated in FIG. 5, calculates an estimated value of secure key rate by Expression 1 and Expression 2. The controller 14 further adjusts the operation of the shifting processing performed by the photon transmitter 10 based on the difference between the initial value of secure key rate stored in the storage 17 and the estimated value of secure key rate calculated by the estimator 15. That is, at the phase of performing the photon sharing processing and the shifting processing, when a sufficient secure key rate has not been obtained from the estimated value of the estimator 15, the controller 14 can expect an improvement effect in secure key rate by making adjustments only in the operation of the shifting processing of the shifting processor 11 because the adjustments in the photon sharing processing have already been finished. The adjustments made by the controller 14 in the operation of the shifting processing may be performed automatically based on the difference between the initial value of secure key rate and the estimated value of secure key rate, or may be performed based on the operating input of the operator received by the input unit 16. The operation of being adjusted based on the operating input of the operator received by the input unit 16 will be described in detail in the later-described first modification.

At the time of performing (4) error correction processing in FIG. 5, only the processing time is not yet measured, and thus the estimator 15 acquires the initial value of the processing time stored in the storage 17. The estimator 15 further receives, via the controller 14, the measurement values of the number of shared photons output by the photon sharing processing of the photon transmitter 10 and the QBER and the information leakage amount output by the error correction processing of the error correction processor 12. The estimator 15 then, by using the measurement values of the number of shared photons, the QBER, and the information leakage amount and using the initial value of the processing time as illustrated in FIG. 5, calculates an estimated value of secure key rate by Expression 1 and Expression 2. For example, it is assumed that the initial value of QBER stored in the storage 17 is 5% and the estimated value of secure key rate by the estimator 15 at the phase of (1) apparatus start-up is 100 kbps. At the subsequent execution phase of the error correction processing by the error correction processor 12, when the QBER is figured out at 6% by the error correction processor 12, the estimator 15 uses, instead of 5% that is the initial value of QBER, 6% that is the calculated measurement value, so as to calculate an estimated value of secure key rate. From Expression 1 and Expression 2, the change in QBER from 5% to 6% has a reducing effect on the secure key rate by 24%, and thus the secure key rate is estimated to be 76 kbps by the estimator 15. In this example, the EC efficiency is assumed to be 1.2 for simplicity.

The controller 14 further adjusts the operation of the error correction processing performed by the photon transmitter 10 based on the difference between the initial value of secure key rate stored in the storage 17 and the estimated value of secure key rate calculated by the estimator 15. That is, at the phase of performing the photon sharing processing, the shifting processing, and the error correction processing, when a sufficient secure key rate has not been obtained from the estimated value of the estimator 15, the controller 14 can expect an improvement effect in secure key rate by making adjustments only in the operation of the error correction processing of the error correction processor 12 because the adjustments in the photon sharing processing and the shifting processing have already been finished. For example, as a result of adjustments in the error correction processing by the controller 14, the QBER calculated in the error correction processing by the error correction processor 12 can obtain, from the sample value of 6%, a value of 4% that is accurate as the QBER. Based on this obtained value, a more accurate value as the secure key rate can be obtained from Expression 1 and Expression 2, and thus the secure key rate is estimated to be 127 kbps by the estimator 15.

The adjustments made by the controller 14 in the operation of the error correction processing may be performed automatically based on the difference between the initial value of secure key rate and the estimated value of secure key rate, or may be performed based on the operating input of the operator received by the input unit 16. The operation of being adjusted based on the operating input of the operator received by the input unit 16 will be described in detail in the later-described first modification.

At the time of performing (5) privacy amplification processing in FIG. 5, the number of shared photons, the QBER, the information leakage amount, and the processing time have all been measured. Consequently, the estimator 15 receives, via the controller 14, the measurement values of the number of shared photons output by the photon sharing processing of the photon transmitter 10, the QBER and the information leakage amount output by the error correction processing of the error correction processor 12, and the processing time output by the privacy amplification processing of the privacy amplification processor 13. The estimator 15 then, as illustrated in FIG. 5, calculates an estimated value of secure key rate by Expression 1 and Expression 2 by using the measurement values of the number of shared photons, the QBER, the information leakage amount, and the processing time. As for the estimated value of secure key rate calculated by the estimator 15, it has been calculated all by using the measurement values, and thus it is the actual value of secure key rate. The controller 14 further adjusts the operation of the privacy amplification processing performed by the photon transmitter 10 based on the difference between the initial value of secure key rate stored in the storage 17 and the estimated value of secure key rate calculated by the estimator 15. That is, at the phase of performing the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing, when a sufficient secure key rate has not been obtained from the estimated value of the estimator 15, the controller 14 can expect an improvement effect in secure key rate by making adjustments only in the operation of the privacy amplification processing of the error correction processor 12 because the adjustments in the photon sharing processing, the shifting processing, and the error correction processing have already been finished. The adjustments made by the controller 14 in the operation of the privacy amplification processing may be performed automatically based on the difference between the initial value of secure key rate and the estimated value of secure key rate, or may be performed based on the operating input of the operator received by the input unit 16. The operation of being adjusted based on the operating input of the operator received by the input unit 16 will be described in detail in the later-described first modification.

As in the foregoing, at the respective phases of the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing in the encryption-key generation operation, the secure key rate is estimated by using, out of the parameters for calculating the secure key rate, the measurement values for the parameters that have been measured and the initial values for the parameters that have not been measured. Consequently, the estimated value of secure key rate can be recognized at the respective phases in the encryption-key generation operation, and by adjusting the processing that is operating at the respective phases, the secure key rate can be made closer to the ideal value, and thus the secure key rate can be improved easily.

While the estimator 15 (25) is to receive the respective measurement values (the number of shared photons, the sample QBER, the QBER, the information leakage amount, and the processing time) in the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing via the controller 14 (24) as in the foregoing, it is not limited to this and it may be configured to receive them directly without the controller 14 (24) intervening.

Furthermore, the computational expression of the above-described Expression 1 used for the estimation of secure key rate can be modified according to the method of QKD. For example, the photon transmitter 10 and the photon receiver 20 are to select the basis at random. However, in the case of a method having a bias in the selection probability of basis, the number of bits discarded in the shifting processing is changed, and thus the computational expression of Expression 1 only needs to be modified as well, for example. In this case, only the coefficient “½” in Expression 1 needs to be modified according to the bias in the selection probability of bases.
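The phase-by-phase estimation with Expression 1 and Expression 2, together with the change of the coefficient “½” for biased basis selection, as an added Python example that is not code from the patent. Assumptions: the information leakage amount enters through an EC efficiency value supplied directly (as in the 5%/6% example above), both sides pick the first basis independently with the same probability, a negative Expression 1 result is clamped to zero, and all parameter names and initial values are constructed for illustration.

```python
import math

# Parameters of Expressions 1 and 2. The information leakage amount is
# represented here by the EC efficiency f_EC directly (assumption).
PARAMS = ("shared_photons", "qber", "ec_efficiency", "processing_time_s")

# Parameters already measured once each phase (1)-(5) has run; every other
# parameter falls back to its stored initial value. At the shifting phase
# "qber" carries the sample QBER.
MEASURED_AT = {
    "startup": (),
    "photon_sharing": ("shared_photons",),
    "shifting": ("shared_photons", "qber"),
    "error_correction": ("shared_photons", "qber", "ec_efficiency"),
    "privacy_amplification": PARAMS,
}

# Constructed initial values (hypothetical, standing in for the storage).
INITIAL = {"shared_photons": 1_000_000, "qber": 0.05,
           "ec_efficiency": 1.2, "processing_time_s": 1.0}


def binary_entropy(e):
    """H2(E) in bits."""
    if not 0.0 <= e <= 1.0:
        raise ValueError("error rate must lie in [0, 1]")
    if e in (0.0, 1.0):
        return 0.0
    return -e * math.log2(e) - (1.0 - e) * math.log2(1.0 - e)


def sift_ratio(p_first_basis=0.5):
    """Fraction of photons kept by the shifting processing when both sides
    choose the first basis with probability p (assumption: independent,
    identical bias). Unbiased selection gives the coefficient 1/2."""
    p = p_first_basis
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return p * p + (1.0 - p) * (1.0 - p)


def secure_key_length(shared_photons, qber, ec_efficiency, ratio=0.5):
    """Expression 1. A negative result means no secure key can be
    extracted, so it is clamped to zero (added by this example)."""
    fraction = 1.0 - (1.0 + ec_efficiency) * binary_entropy(qber)
    return max(0.0, ratio * shared_photons * fraction)


def estimate_rate(phase, initial, measured, ratio=0.5):
    """Expression 2 in bits per second, using measured values for the
    parameters available at `phase` and initial values for the rest."""
    values = {}
    for name in PARAMS:
        if name in MEASURED_AT[phase]:
            if name not in measured:
                raise ValueError(f"{name} should be measured at {phase}")
            values[name] = measured[name]
        else:
            values[name] = initial[name]  # not yet measured at this phase
    if values["processing_time_s"] <= 0:
        raise ValueError("processing time must be positive")
    length = secure_key_length(values["shared_photons"], values["qber"],
                               values["ec_efficiency"], ratio)
    return length / values["processing_time_s"]


def scaled_estimate(phase, initial, measured, reference_rate):
    """Estimate on the scale where the start-up estimate (the initial
    value of secure key rate) equals `reference_rate`."""
    start = estimate_rate("startup", initial, {})
    return reference_rate * estimate_rate(phase, initial, measured) / start


if __name__ == "__main__":
    ec_measured = {"shared_photons": 1_000_000, "qber": 0.06,
                   "ec_efficiency": 1.2}
    kbps = scaled_estimate("error_correction", INITIAL, ec_measured, 100.0)
    print(f"QBER 6% at the error correction phase: {kbps:.1f} kbps")
    print(f"coefficient for a 90/10 basis bias: {sift_ratio(0.9):.2f}")
```

With a measured QBER of 4% the same function returns about 126 kbps on the 100 kbps scale; the 127 kbps figure follows when the 4%/6% ratio is applied to the rounded 76 kbps estimate.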

While both the transmitter 1 and the receiver 2 are to include the estimator (the estimator 15, 25) as illustrated in FIG. 3 in the foregoing, they are not limited to this, and either the transmitter 1 or the receiver 2 may be configured to include the estimator.

The estimation operation by the estimators 15 and 25 may be performed each time a measurement value obtainable at the respective pieces of processing is updated, or may be performed at a given time interval.

First Modification

A QKD apparatus according to the first modification will be described with a focus on the difference from the QKD apparatus (the transmitter 1 and the receiver 2) in the above-described embodiment. The QKD apparatus in the first modification further includes a display, in addition to the respective functional units included in the QKD apparatus in the embodiment.

FIG. 7 is a block diagram illustrating one example of the configuration of functional blocks of the QKD apparatus in the first modification. With reference to FIG. 7, the configuration of functional blocks of the QKD apparatus (a transmitter 1a, a receiver 2a) in the first modification will be described.

As illustrated in FIG. 7, the transmitter 1a includes the photon transmitter 10 (which may be referred to as a quantum-key sharer), the shifting processor 11 (which may be referred to as a shifter), the error correction processor 12 (which may be referred to as a corrector), the privacy amplification processor 13 (which may be referred to as a privacy amplifier), the controller 14, the estimator 15, the input unit 16, the storage 17, and a display 18.

The controller 14 is a functional unit that controls the operation of the above-described photon transmitter 10, the shifting processor 11, the error correction processor 12, and the privacy amplification processor 13. Furthermore, the controller 14 acquires measurement values that are obtained in the respective pieces of processing of the photon transmitter 10, the shifting processor 11, the error correction processor 12, and the privacy amplification processor 13 and transmits them to the estimator 15. The controller 14 stores in advance initial values of operating input from the input unit 16 into the storage 17. The controller 14 performs, based on the operating input received by the input unit 16, the operation of advancing the respective phases of (1) to (5) in the foregoing, and the adjustment operation of the respective pieces of processing of the photon transmitter 10, the shifting processor 11, the error correction processor 12, and the privacy amplification processor 13.

The input unit 16 is a functional unit that receives the operating input of initial values, the operating input of advancing the respective phases of (1) to (5) in the foregoing, and the operating input to cause the controller 14 to perform the adjustment operation of the respective pieces of processing of the photon transmitter 10, the shifting processor 11, the error correction processor 12, and the privacy amplification processor 13.

The display 18 is a device that displays information concerning the estimated value of secure key rate calculated by the estimator 15. The display 18 is implemented by the display device 84 illustrated in FIG. 2.

As illustrated in FIG. 7, the receiver 2a includes the photon transmitter 20 (which may be referred to as a quantum-key sharer), the shifting processor 21 (which may be referred to as a shifter), the error correction processor 22 (which may be referred to as a corrector), the privacy amplification processor 23 (which may be referred to as a privacy amplifier), the controller 24, the estimator 25, the input unit 26, the storage 27, and a display 28.

The controller 24 is a functional unit that controls the operation of the above-described photon receiver 20, the shifting processor 21, the error correction processor 22, and the privacy amplification processor 23. Furthermore, the controller 24 acquires measurement values that are obtained in the respective pieces of processing of the photon receiver 20, the shifting processor 21, the error correction processor 22, and the privacy amplification processor 23 and transmits them to the estimator 25. The controller 24 stores in advance the initial values of operating input from the input unit 26 into the storage 27. The controller 24 performs, based on the operating input received by the input unit 26, the operation of advancing the respective phases of (1) to (5) in the foregoing, and the adjustment operation of the respective pieces of processing of the photon receiver 20, the shifting processor 21, the error correction processor 22, and the privacy amplification processor 23.

FIG. 8 is a diagram illustrating a display example of an estimated value. FIG. 9 is a diagram illustrating a display example of the estimated value by a bar chart. FIG. 10 is a graphic chart illustrating a display example of the estimated value by a time-series chart. FIG. 11 is a graphic chart illustrating a display example of the estimated value by a time-series chart. With reference to FIGS. 8 to 11 and FIG. 5 in the foregoing, the estimation operation of secure key rate, the operation of displaying the information concerning the estimated value, and the operation of adjusting the respective pieces of processing in the encryption-key generation operation will be described.

The operator who performs the operation to improve secure key rate starts up the QKD apparatus (the transmitter 1 and the receiver 2). The estimation operation of secure key rate by the estimator 15 at the time of (1) apparatus start-up in FIG. 5 is as discussed above. The controller 14 receives the estimated value of secure key rate from the estimator 15 and, as illustrated in FIG. 8, displays the received estimated value and the initial value of secure key rate on the display 18, for example. However, the estimated value and the initial value of secure key rate here are of identical values. The operator then performs, on the input unit 16, the operating input of advancing to the phase of causing the photon transmitter 10 to perform the photon sharing processing that is the subsequent phase.

Upon receiving the operating information to cause the photon transmitter 10 to perform the photon sharing processing from the input unit 16, the controller 14 causes the photon transmitter 10 to start the photon sharing processing. The estimation operation of secure key rate by the estimator 15 at the time of performing (2) photon sharing processing in FIG. 5 is as discussed above. The photon transmitter 10 stores (accumulates) the generated photon bit string into the storage 17. The estimator 15 stores the calculated estimated value of secure key rate into the storage 17. The controller 14 receives the estimated value of secure key rate from the estimator 15 and, as illustrated in FIG. 8, displays the received estimated value and the initial value of secure key rate on the display 18, for example. The operator checks the estimated value and the initial value of secure key rate displayed on the display 18 and, when the operator determines that a sufficient secure key rate is not yet obtained at the phase of performing the photon sharing processing alone from the estimated value of the estimator 15, performs input operation to adjust the photon sharing processing of the photon transmitter 10 on the input unit 16. The controller 14 adjusts, based on the operating input for adjustments received by the input unit 16, the operation of the photon sharing processing by the photon transmitter 10. Consequently, by the adjustments being performed only in the operation of the photon sharing processing of the photon transmitter 10, an improvement effect in secure key rate can be expected. The operator then performs, on the input unit 16, the input operation of advancing to the phase of causing the shifting processor 11 to perform the shifting processing that is the subsequent phase, after adjusting the operation of the photon sharing processing.

Upon receiving the operating information to cause the shifting processor 11 to perform the shifting processing from the input unit 16, the controller 14 causes the shifting processor 11 to start the shifting processing. The shifting processor 11 performs the shifting processing by using the photon bit string accumulated in the storage 17. The estimation operation of secure key rate by the estimator 15 at the time of performing (3) shifting processing in FIG. 5 is as discussed above. The shifting processor 11 stores (accumulates) the generated shared bit string into the storage 17. The estimator 15 stores the calculated estimated value of secure key rate into the storage 17. The controller 14 receives the estimated value of secure key rate from the estimator 15 and, as illustrated in FIG. 8, displays the received estimated value and the initial value of secure key rate on the display 18, for example. The operator checks the estimated value and the initial value of secure key rate displayed on the display 18 and, when the operator determines that a sufficient secure key rate is not yet obtained at the phase of performing the photon sharing processing and the shifting processing from the estimated value of the estimator 15, the operator performs input operation to adjust the shifting processing of the shifting processor 11 on the input unit 16 because the adjustments in the photon sharing processing have already been finished. The controller 14 adjusts, based on the operating input for adjustments received by the input unit 16, the operation of the shifting processing by the shifting processor 11. Consequently, by the adjustments being performed only in the operation of the shifting processing of the shifting processor 11, an improvement effect in secure key rate can be expected. The operator then performs, on the input unit 16, the input operation of advancing to the phase of causing the error correction processor 12 to perform the error correction processing that is the subsequent phase, after adjusting the operation of the shifting processing.

Upon receiving the operating information to cause the error correction processor 12 to perform the error correction processing from the input unit 16, the controller 14 causes the error correction processor 12 to start the error correction processing. The error correction processor 12 performs the error correction processing by using the shared bit string accumulated in the storage 17. The estimation operation of secure key rate by the estimator 15 at the time of performing (4) error correction processing in FIG. 5 is as discussed above. The error correction processor 12 stores (accumulates) the generated corrected bit string into the storage 17. The estimator 15 stores the calculated estimated value of secure key rate into the storage 17. The controller 14 receives the estimated value of secure key rate from the estimator 15 and, as illustrated in FIG. 8, displays the received estimated value and the initial value of secure key rate on the display 18, for example. The operator checks the estimated value and the initial value of secure key rate displayed on the display 18 and, when the operator determines that a sufficient secure key rate is not yet obtained at the phase of performing the photon sharing processing, the shifting processing, and the error correction processing from the estimated value of the estimator 15, the operator performs input operation to adjust the error correction processing of the error correction processor 12 on the input unit 16 because the adjustments in the photon sharing processing and the shifting processing have already been finished. The controller 14 adjusts the operation of the error correction processing by the error correction processor 12 based on the operating input for adjustments received by the input unit 16. Consequently, by the adjustments being performed only in the operation of the error correction processing of the error correction processor 12, an improvement effect in secure key rate can be expected. The operator then performs, on the input unit 16, the input operation of advancing to the phase of causing the privacy amplification processor 13 to perform the privacy amplification processing that is the subsequent phase, after adjusting the operation of the error correction processing.

Upon receiving the operating information to cause the privacy amplification processor 13 to perform the privacy amplification processing from the input unit 16, the controller 14 causes the privacy amplification processor 13 to start the privacy amplification processing. The privacy amplification processor 13 performs the privacy amplification processing by using the corrected bit string accumulated in the storage 17. The estimation operation of secure key rate by the estimator 15 at the time of performing (5) privacy amplification processing in FIG. 5 is as discussed above. The privacy amplification processor 13 stores (accumulates) the generated encryption key into the storage 17. The estimator 15 stores the calculated estimated value of secure key rate into the storage 17. The controller 14 receives the estimated value of secure key rate (the actual value of secure key rate) from the estimator 15 and, as illustrated in FIG. 8, displays the received estimated value and the initial value of secure key rate on the display 18, for example. The operator checks the estimated value and the initial value of secure key rate displayed on the display 18 and, when the operator determines that a sufficient secure key rate is not yet obtained at the phase of performing the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing from the estimated value of the estimator 15, the operator performs input operation to adjust the privacy amplification processing of the privacy amplification processor 13 on the input unit 16 because the adjustments in the photon sharing processing, the shifting processing, and the privacy amplification processing have already been finished. The controller 14 adjusts the operation of the privacy amplification processing by the privacy amplification processor 13 based on the operating input for adjustments received by the input unit 16. Consequently, by the adjustments being performed only in the operation of the privacy amplification processing of the privacy amplification processor 13, an improvement effect in secure key rate can be expected.

By the foregoing procedure, the operator performs the adjustment operation to improve the secure key rate while comparing the estimated value calculated at the respective phases with the initial value.

As in the foregoing, the operator can perform, at the respective phases of (1) to (5) in the foregoing, the adjustment operation of the processing at the respective phases while comparing the estimated value of secure key rate calculated by the estimator 15 (25) with the ideal value (for example, an initial value) of secure key rate. Consequently, because the estimated value that is calculated by the estimator 15 (25) and the initial value are displayed on the display 18 (28), the operator can easily perform the adjustment operation to improve the secure key rate, and thus the secure key rate can be improved easily.

As illustrated in FIG. 8, the display 18 (28) may display a change rate between the estimated value currently displayed on the display 18 (28) and the estimated value calculated by the estimator 15 (25) at the previous time. In this case, it is only necessary to configure the estimator 15 (25) so as to calculate the estimated value of secure key rate and calculate the change rate along with it by acquiring the previous estimated value stored in the storage 17 (27), and to configure the controller 14 (24) so as to display the latest estimated value and the change rate calculated by the estimator 15 (25) on the display 18 (28) as illustrated in FIG. 8. By displaying the change rate in this way, the change rate between the estimated value before adjustments and the estimated value after adjustments can be grasped and can serve as a target in the adjustments.

Furthermore, as illustrated in FIG. 8, the display 18 (28) is to display the estimated value calculated by the estimator 15 (25) together with the initial value of secure key rate. However, it is not limited to this, and the display 18 (28) may be configured not to display the initial value of secure key rate. In this case, the operator is to understand the ideal value of secure key rate in advance, and the operator only needs to perform the adjustment operation for the respective pieces of processing such that the estimated value displayed on the display 18 (28) comes closer to the ideal value.

As illustrated in FIG. 9, the display 18 (28) may be configured to display, by a bar chart, the estimated value of secure key rate and the initial value received from the controller 14 (24). Consequently, the operator can visually recognize the difference between the estimated value of secure key rate and the initial value instantaneously.

As illustrated in FIG. 10, the display 18 (28) may be configured to display a graphic chart in which the estimated value is plotted in the time series. In this case, together with the graphic chart, by displaying the line of the initial value of secure key rate, the operator can visually recognize the target of adjustments in the secure key rate and can perceive the effect of adjustment operation on the secure key rate at the respective phases of (1) to (5) in the foregoing.

As illustrated in FIG. 11, the display 18 (28) may be configured to display a line indicative of an operational level together with the graphic chart in which the estimated value is plotted in the time series. The operational level means a secure key rate at which encryption keys that enable encrypted data communication at certain quality to be performed can be generated, for example. With this operational level also, the operator can visually recognize the target of adjustments in the secure key rate and can perceive the effect of adjustment operation on the secure key rate at the respective phases of (1) to (5) in the foregoing.

The display 18 (28) may be configured to display, in addition to the display items in FIG. 8, at least one of the measurement values (the number of shared photons, the sample QBER, the QBER, the information leakage amount, and the processing time) of the respective pieces of processing, for example. The display 18 (28) may be configured to further display, in addition to those measurement values, the initial values corresponding to the respective measurement values. The display 18 (28) may be configured to display, for those measurement values, a graphic chart plotted in the time series in the same manner as that illustrated in FIG. 10, and in addition to this, may display the line indicative of the initial value of the respective measurement values.

While both the transmitter 1 a and the receiver 2 a are to include the display (the display 18, 28) as illustrated in FIG. 7 in the foregoing, they are not limited to this, and either the transmitter 1 a or the receiver 2 a may be configured to include the display. For example, when both the transmitter 1 a and the receiver 2 a include the displays and either the transmitter 1 a or the receiver 2 a only includes the estimator, it is sufficient that the estimator transmits the calculated estimated value of secure key rate to the QKD apparatus that is not provided with an estimator via a classical communication channel.

Second Modification

A QKD apparatus according to a second modification will be described with a focus on the difference from the QKD apparatus (the transmitter 1 a and the receiver 2 a) in the above-described first modification. The QKD apparatus in the second modification further includes a determiner and a notifier, in addition to the respective functional units included in the QKD apparatus in the first modification.

FIG. 12 is a block diagram illustrating one example of the configuration of functional blocks of the QKD apparatus in the second modification. With reference to FIG. 12, the configuration of functional blocks of the QKD apparatus (a transmitter 1 b, a receiver 2 b) in the second modification will be described.

As illustrated in FIG. 12, the transmitter 1 b includes the photon transmitter 10 (which may be referred to as a quantum-key sharer), the shifting processor 11 (which may be referred to as a shifter), the error correction processor 12 (which may be referred to as a corrector), the privacy amplification processor 13 (which may be referred to as a privacy amplifier), the controller 14, the estimator 15, the input unit 16, the storage 17, the display 18, a determiner 19 a, and a notifier 19 b.

The determiner 19 a is a functional unit that determines whether the estimated value of secure key rate calculated by the estimator 15 satisfies a given condition. The determiner 19 a further causes the notifier 19 b to notify when the given condition is satisfied. For example, the determiner 19 a is assumed to be configured to determine whether the estimated value of secure key rate has reached an operational level as the given condition, and when the estimated value is at the operational level or higher, the determiner 19 a causes the notifier 19 b to notify of that fact. Alternatively, the determiner 19 a may be assumed to be configured to determine whether the estimated value of secure key rate has fallen below a level at which operation is disabled as the given condition, and when the estimated value is below the level at which operation is disabled, the determiner 19 a may cause the notifier 19 b to notify of that fact. The determiner 19 a is implemented by the CPU 80 illustrated in FIG. 2 reading out and executing the computer program stored in the auxiliary storage device 86 and others onto the RAM 82. The determiner 19 a may be implemented by a hardware circuit.

The notifier 19 b is a functional unit that, when the determiner 19 a determines that the estimated value of secure key rate satisfies the given condition, notifies of that fact by audio output and others based on a command of the determiner 19 a. The notifier 19 b is implemented by the speaker 88 illustrated in FIG. 2.

As illustrated in FIG. 12, the receiver 2 b includes the photon receiver 20 (which may be referred to as a quantum-key sharer), the shifting processor 21 (which may be referred to as a shifter), the error correction processor 22 (which may be referred to as a corrector), the privacy amplification processor 23 (which may be referred to as a privacy amplifier), the controller 24, the estimator 25, the input unit 26, the storage 27, the display 28, a determiner 29 a, and a notifier 29 b.

The determiner 29 a is a functional unit that determines whether the estimated value of secure key rate calculated by the estimator 25 satisfies a given condition. When the given condition is satisfied, the determiner 29 a causes the notifier 29 b to notify of that fact. The determiner 29 a is implemented by the CPU 80 illustrated in FIG. 2 reading out and executing the computer program stored in the auxiliary storage device 86 and others onto the RAM 82. The determiner 29 a may be implemented by a hardware circuit.

The notifier 29 b is a functional unit that, when the determiner 29 a determines that the estimated value of secure key rate satisfies the given condition, notifies of that fact by audio output and others based on a command of the determiner 29 a. The notifier 29 b is implemented by the speaker 88 illustrated in FIG. 2.

The notifiers 19 b and 29 b are not limited to outputting sound, and may be configured to notify by a lamp display and others. The display 18 (28) may be configured to change the display format (font color, color of bar chart, and others) of the estimated value of secure key rate or to display a message stating that the given condition is satisfied, when the estimated value of secure key rate satisfies the given condition. The function in the display 18 (28) to change the display in this manner provides the same function as the notification function by the notifier 19 b (29 b).

As in the foregoing, the operator performs the adjustments of processing at the respective phases while checking the estimated value of secure key rate on the display 18 (28), and in addition to that, the notifier 19 b (29 b) is configured to notify the operator, when the determiner 19 a (29 a) determines that the estimated value satisfies the given condition, that the value satisfies the given condition. Consequently, the operator can not only check the estimated value visually but also recognize aurally that the given condition is satisfied (for example, the estimated value is at an operational level or higher), and thus the operator can perform the adjustment operation to improve the secure key rate more easily.
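The phase-by-phase estimate, the change rate of FIG. 8, and the determiner check described in the first and second modifications, sketched as an added example (not code from this patent). The rate model in `key_rate`, the sifting ratio, the assignment of the leakage amount to the error correction phase, the use of the sample QBER in place of the QBER until error correction finishes, and all names and sample values are assumptions made for illustration.

```python
import math
from dataclasses import dataclass, field
from typing import Optional

SIFT_RATIO = 0.5  # assumption: half of the shared photons survive shifting

# Output values per phase, following the claims; leak_bits placement is assumed.
PHASE_OUTPUTS = {
    "photon_sharing": {"shared_photons"},
    "shifting": {"sample_qber"},
    "error_correction": {"qber", "leak_bits"},
    "privacy_amplification": {"processing_time_s"},
}

def h2(p: float) -> float:
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def key_rate(v: dict) -> float:
    """Stand-in rate model (assumption, not the patent's formula): key bits
    left after error-correction leakage and compression, per second."""
    if v["processing_time_s"] <= 0:
        raise ValueError("processing time must be positive")
    if not 0.0 <= v["qber"] <= 1.0:
        raise ValueError("QBER must lie in [0, 1]")
    if v["qber"] >= 0.5:  # channel too noisy: no key can be distilled
        return 0.0
    sifted = v["shared_photons"] * SIFT_RATIO
    secret_bits = sifted * (1 - h2(v["qber"])) - v["leak_bits"]
    return max(0.0, secret_bits) / v["processing_time_s"]

@dataclass
class Estimator:
    given: dict                                   # initial (given) values
    measured: dict = field(default_factory=dict)  # output values so far
    history: list = field(default_factory=list)   # stored estimates

    def _inputs(self) -> dict:
        # Measured outputs override given values; phases not yet run keep theirs.
        v = dict(self.given)
        v.update({k: x for k, x in self.measured.items() if k != "sample_qber"})
        # The tentative error rate stands in until the corrector reports the QBER.
        if "qber" not in self.measured and "sample_qber" in self.measured:
            v["qber"] = self.measured["sample_qber"]
        return v

    def initial_rate(self) -> float:
        return key_rate(self.given)

    def estimate(self) -> float:
        rate = key_rate(self._inputs())
        self.history.append(rate)
        return rate

    def complete_phase(self, phase: str, **outputs) -> float:
        if set(outputs) != PHASE_OUTPUTS[phase]:
            raise ValueError(f"{phase} must report {sorted(PHASE_OUTPUTS[phase])}")
        self.measured.update(outputs)
        return self.estimate()

    def change_rate(self) -> Optional[float]:
        """Relative change against the previously stored estimate."""
        if len(self.history) < 2 or self.history[-2] == 0:
            return None
        return (self.history[-1] - self.history[-2]) / self.history[-2]

def determine(rate: float, operational_level: float, disabled_level: float):
    """Determiner: name the given condition the estimate satisfies, if any."""
    if rate >= operational_level:
        return "operational"
    if rate < disabled_level:
        return "disabled"
    return None

if __name__ == "__main__":
    # Constructed sample values, not measurements from a real QKD link.
    est = Estimator({"shared_photons": 2_000_000, "qber": 0.03,
                     "leak_bits": 200_000, "processing_time_s": 1.0})
    steps = [("photon_sharing", {"shared_photons": 1_600_000}),
             ("shifting", {"sample_qber": 0.05}),
             ("error_correction", {"qber": 0.04, "leak_bits": 250_000}),
             ("privacy_amplification", {"processing_time_s": 1.25})]
    print("start-up", round(est.estimate()), "initial", round(est.initial_rate()))
    for phase, out in steps:
        rate = est.complete_phase(phase, **out)
        print(phase, round(rate), f"{est.change_rate():+.1%}",
              determine(rate, 400_000, 100_000))
```

Because each estimate mixes measured and given values, a drop that appears right after one phase completes points at that phase, which is what lets the operator adjust one stage at a time.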

The computer program that is executed by the QKD apparatus in the above-described embodiment and the respective modifications may be embedded in the ROM 81 and the like in advance before it is provided.

The computer program executed by the QKD apparatus in the above-described embodiment and the respective modifications may be configured to be provided, as a computer program product, in a file of an installable format or of an executable format recorded on a computer readable recording medium such as a compact-disc read only memory (CD-ROM), a flexible disk (FD), a compact disc recordable (CD-R), and a digital versatile disc (DVD).

The computer program executed by the QKD apparatus in the above-described embodiment and the respective modifications may be configured to be stored on a computer connected to a network such as the Internet and to be provided by downloading via the network. Furthermore, the computer program executed by the QKD apparatus in the above-described embodiment and the respective modifications may be configured to be provided or distributed via a network such as the Internet.

The computer program executed by the QKD apparatus in the above-described embodiment and the respective modifications can make a computer function as the foregoing respective functional units of the QKD apparatus. In the computer, the CPU 80 can read out and execute the computer program from a computer readable storage medium onto a main storage device.

While certain embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the inventions. Indeed, the novel embodiments described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions and changes in the form of the embodiments described herein may be made without departing from the spirit of the inventions. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of the inventions.

What is claimed is:
 1. A quantum-key distribution apparatus comprising: a quantum-key sharer configured to perform photon sharing processing in which a stream of photons is shared with another quantum-key distribution apparatus by quantum key distribution via a quantum communication channel for photons and to acquire a photon bit string corresponding to the stream of photons based on generated basis information; a shifter configured to generate a shared bit string from the photon bit string by performing shifting processing based on the basis information on the quantum-key sharer and on the another quantum-key distribution apparatus; a corrector configured to generate a corrected bit string by correcting errors included in the shared bit string by performing error correction processing; a privacy amplifier configured to generate encryption keys by performing privacy amplification processing in which the corrected bit string is compressed based on the number of errors; and an estimator configured to estimate, at execution phases of respective pieces of processing of the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing, an encryption-key generation rate indicative of a generation amount of the encryption keys per unit time based on an output value output in processing that has been performed out of the respective pieces of processing and a given value corresponding to an output value of processing not yet performed out of the respective pieces of processing.
 2. The quantum-key distribution apparatus according to claim 1, wherein the given value is a value defined based on a past value of the output value corresponding to the given value.
 3. The quantum-key distribution apparatus according to claim 1, wherein the quantum-key sharer outputs the number of photons of the stream of photons shared by performing the photon sharing processing as the output value, the corrector calculates an error rate in the quantum communication channel from the number of errors by performing the error correction processing and outputs the error rate as the output value, and the privacy amplifier outputs processing time until the encryption key is generated based on the stream of photons by performing the privacy amplification processing as the output value.
 4. The quantum-key distribution apparatus according to claim 3, wherein the shifter calculates a tentative error rate in the quantum communication channel based on bit information on a part of the shared bit string generated by performing the shifting processing and outputs the tentative error rate as the output value.
 5. The quantum-key distribution apparatus according to claim 1, further comprising a display configured to display information concerning an estimated value of the encryption-key generation rate estimated by the estimator.
 6. The quantum-key distribution apparatus according to claim 5, wherein the display displays information indicative of changes in the estimated value in time series as the information concerning the estimated value.
 7. The quantum-key distribution apparatus according to claim 1, further comprising a controller configured to make adjustments in operation of processing that is being performed when the estimated value is estimated by the estimator out of the respective pieces of processing and that is on a downstream side, based on a difference between an estimated value of the encryption-key generation rate estimated by the estimator, and a value of the encryption-key generation rate that is obtained based on the given value corresponding to the respective pieces of processing when all of the respective pieces of processing have not been performed.
 8. The quantum-key distribution apparatus according to claim 7, further comprising: an input unit configured to receive operating input; and a display configured to display information concerning the estimated value estimated by the estimator, wherein the controller performs the adjustments in accordance with operating input received by the input unit based on the information concerning the estimated value displayed on the display.
 9. The quantum-key distribution apparatus according to claim 8, further comprising: a determiner configured to determine whether the estimated value satisfies a given condition; and a notifier configured to notify, when the determiner determines that the estimated value satisfies the given condition, that the value satisfies the given condition.
 10. A quantum-key distribution method comprising: performing photon sharing processing in which a stream of photons is shared with another quantum-key distribution apparatus by quantum key distribution via a quantum communication channel for photons to acquire a photon bit string corresponding to the stream of photons based on generated basis information; generating a shared bit string from the photon bit string by performing shifting processing based on the basis information at the quantum-key sharing and the basis information on the another quantum-key distribution apparatus; generating a corrected bit string by correcting errors included in the shared bit string by performing error correction processing; generating encryption keys by performing privacy amplification processing in which the corrected bit string is compressed based on the number of errors; and estimating, at execution phases of respective pieces of processing of the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing, an encryption-key generation rate indicative of a generation amount of the encryption keys per unit time based on an output value output in processing that has been performed out of the respective pieces of processing and a given value corresponding to an output value of processing not yet performed out of the respective pieces of processing.
 11. A computer program product comprising a computer-readable medium containing a program executed by a computer, the program causing the computer to execute: performing photon sharing processing in which a stream of photons is shared with another quantum-key distribution apparatus by quantum key distribution via a quantum communication channel for photons to acquire a photon bit string corresponding to the stream of photons based on generated basis information; generating a shared bit string from the photon bit string by performing shifting processing based on the basis information at the quantum-key sharing and the basis information on the another quantum-key distribution apparatus; generating a corrected bit string by correcting errors included in the shared bit string by performing error correction processing; generating encryption keys by performing privacy amplification processing in which the corrected bit string is compressed based on the number of errors; and estimating, at execution phases of respective pieces of processing of the photon sharing processing, the shifting processing, the error correction processing, and the privacy amplification processing, an encryption-key generation rate indicative of a generation amount of the encryption keys per unit time based on an output value output in processing that has been performed out of the respective pieces of processing and a given value corresponding to an output value of processing not yet performed out of the respective pieces of processing.